Apple MDM Solutions Comparison: A Buyer's Guide

MDM solutions offer a few ways of enrolling devices—meaning putting those devices under management:

• Automated enrollment: Automated enrollment lets IT teams deploy settings, policies, and apps to devices remotely, without manual intervention. In the Apple world, this process is known as Automated Device Enrollment (ADE) and starts with adding devices to Apple Business Manager (or, in education settings, Apple School Manager). It streamlines setup and gives admins the confidence that devices will be enrolled and under management as soon as they are activated. This is the golden path, the best way to enroll devices if you can.
• Device enrollment: Some company-owned devices may not be in Apple Business Manager (or Apple School Manager), and so can’t be added by ADE. But they can still be enrolled in MDM manually, often by means of having users visit an enrollment portal. Device enrollment can enforce supervision, which gives admins extensive control over the device.
• User enrollment: Not as universally supported as those first two, User Enrollment allows employees to use personal Apple devices for work purposes, while still allowing IT admins to manage and secure corporate data.

You can also enroll devices using Apple Configurator. This is less scalable than ADE, but it is useful in certain cases. Apple Configurator for iPhone can provisionally enroll Mac computers into Apple Business Manager (or Apple School Manager)—”provisionally” in the sense that the user of the device has 30 days to release the device from management.

Ideally, an MDM solution provides tools for customizing the enrollment process. This means supporting things like:

• Branding and customization: MDM solutions may allow IT admins to customize the screens users see during enrollment with things like the company logo. This helps to create a consistent and professional experience for end-users during that enrollment process.
• Pre-configured settings and policies: Many solutions let admins define settings and policies for the enrollment process, things like Wi-Fi settings, email configurations, security policies, and more. This means devices can be configured correctly from the get-go.
• Third-party integrations: MDM solutions may support integrations with third-party solutions that are specifically relevant to the enrollment process—things like inventory or HR systems. (For more on integrations, see below.)

Good MDM solutions offer a range of tools to help automate management processes. Those tools can include:

• Automated enrollment: As mentioned above, most MDM solutions offer automated enrollment options that enable IT admins to automatically enroll devices in MDM as soon as they are activated.
• Automated app deployment: Many MDM solutions also offer automated app deployment options, which enable IT admins to install and update apps on managed devices automatically. This obviates the need for end-users to install and update the software themselves.
• Automated compliance monitoring: MDM solutions can monitor devices for compliance in real-time, automatically flagging any devices that fall out of compliance and, in the best cases, automatically remediating those lapses.
• Automated security policies: MDM solutions can automatically enforce security policies across managed devices—things like enforcing passcode policies, configuring VPN settings, and more.

As we noted at the top, some MDM solutions rely on agents—always-on mini-apps running on Mac computers—to automate some processes that are outside the scope of the MDM framework. They are particularly helpful with offline remediations, because the agent can continue to ensure adherence to policies even when the device is out of touch with the MDM solution.

Apple itself is extending that basic MDM framework with the introduction of declarative device management (DDM), which will push some of the functionality currently handled by server-side automation tools down to devices themselves. Support for DDM is gaining traction among MDM vendors and will transform Apple device management in the years to come.

MDM solutions typically offer tools to help manage the apps on user devices. That management can take many forms:

• App deployment: As noted above, MDM solutions can help automate the deployment of apps to end-user devices. This can mean automatically installing apps on devices at setup and/or then updating those apps over time as new versions are available. Ideally, the solution can do so intelligently, installing one set of apps on one set of devices and another set on another.
• App catalogs: Some solutions also let admins create and manage customized app catalogs for end-users, making it easier for those users to find and install the apps they need for work without resorting to downloading them from public sites and installing them manually.
• Allow and block lists: In some cases, MDM solutions can maintain lists of apps that admins don’t want their users to install and enforce those bans when users try. Alternatively, the solution might allow the admin to create a list of apps that are allowed; if a user tries to install one that’s not on the list, the solution will prevent them from doing so.

One key to using MDM to distribute apps (as well as book content): Apple’s Apps and Books program, through which an organization can license and distribute that content. Access to that program comes through Apple Business Manager (or Apple School Manager), which we’ll get to in a minute. Ideally, the solution you choose supports multiple Apps and Books tokens. These provide greater flexibility (in terms of assigning and managing content for different users or groups), better control and security, and easier budgeting.

A good MDM solution should also give you control over updates and upgrades to the operating systems on end-user devices. That can include configuring devices so they automatically update to the latest version of the operating system as soon as it becomes available, or establishing rules for the deferment of OS updates, to give you time to test releases for compatibility with your existing software. Keeping managed devices current with the latest OSes is vital for security—but it can also introduce unexpected incompatibility issues. Your MDM solution should allow you to balance both.

MDM solutions can’t operate in isolation; they have to exist—and thrive—in a wider software ecosystem.

At a minimum, they should integrate with Apple Business Manager (or Apple School Manager), to manage device deployment and automate device enrollment and take advantage of Apps and Books. They also need to integrate with the Apple Push Notification service (APNs), which, as a conduit for communications between the MDM solution and devices, is a cornerstone of Apple’s MDM infrastructure.

Ideally, the solution you choose can also integrate with other SaaS tools. For example, connecting your MDM to your identity provider (IdP) facilitates the integration of device and user stores, which in turn can let you do things like managing devices based on user attributes. Integration with an inventory management system can help coordinate the lifecycle of the devices in your fleet.

One type of integration is particularly important: By integrating your MDM with security and compliance tools, you can automate the process of collecting compliance data and remediating security settings.

MDM can help you make sure—and provide proof that—you’re enforcing compliance requirements such as encryption, passcode policies, Lost Mode, Activation Lock, and more. Some may provide the ability to remotely wipe corporate data from lost or stolen devices. As noted above, your MDM solution may help you block the installation of unauthorized apps. More generally, it can collect the device information you need for compliance reporting.